DNS Encyclopedia (Work in Progress)
The goal of this DNS encyclopedia is to explain all common DNS concepts within 500 words maximum per topic.
A (Address) Record
The Address record contains a IPv4 quad-four Internet address
usually the host address corresponding to the domain name.
If the host has multiple addresses, multiple A records can be used for
each (for a Round-robin effect).
AAAA (IPv6) Record
The AAAA record contains a single IPv6 address which is the host address
for the domain name.
Commonly, the field may contain eight 16-bit hexadecimal numbers
separated by colons.
The section in the response which may provide resource records for additional information related to records in other sections.
An example is glue records (address records in additional section for
names in the Authority Section).
A resolver or client may choose to ignore the additional section. A resolver or client should ignore unrelated data.
A count of the records in the Additional Section is specified in the DNS header.
the TTL and resource record data provided for the query. Note that the response includes the original query too (domain name and type).
the SOA and NS records are located at the apex, the top-level of a zone. (Commonly the "@" a-sign is used to represent the apex domain name or current origin in a zone file.)
The server that is responsible to provide the data. The data that came from a responsible server. (The flag that indicates the answer was authoritative.)
response section to provide SOA record for no answer responses or provide the referral NS delegations to query next.
An AXFR is a full zone transfer to copy DNS zone data from another
authoritative DNS server.
It always uses TCP instead of UDP.
An AXFR is part of the DNS protocol. An alternative transfer could
be done outside of DNS, such as with Rsync.
Partial transfers can be done using IXFR.
the scope of authority, responses should only be trusted when come from server with its bailiwick.
For example. a response for a "www.example.COM" query should not contain
Stores the record up to the time-to-live time. The resolver doesn't have to lookup the same query frequently for long TTLs.
country-code TLD, like DE and NZ.
Often ccTLD domain names are assigned under an additional second level
domain, like tx.us and co.uk.
Defines the schema for the record types and resource record data. For common DNS it is the Internet (IN) class.
The Canonical Name or alias resource record type. Its target (resource record data) is the new domain name to lookup using the original resource record type in the new query.
With a CNAME, a domain name points to another domain name to get its value.
This may be used for management purposes to reduce changes or to point
multiple domain names to the same address, for example.
A common example is "www.example.org." CNAME which points to
"example.org." which has an A (address) record.
CNAMEs can point to domain names that are also CNAMEs,
but following the chain of CNAMEs is restricted by resolvers
(such as a fifteen CNAME chained limit).
A CNAME cannot be at an apex (which requires a SOA and NS record)
as it cannot be at same name as another record type other than RRSIG.
The zone uses a NS (name server) record to identify what authoritative server is next responsible for the domain. Basically an answer says "look here instead". This is provided in the authority section.
a resource record type containing the public part of a cryptographic key used to verify a digital signature record (RRSIG).
The DNSKEY also has a RRSIG signature which was made by another
cryptographic key, such as managed by a parent domain.
Resolvers using DNSSEC use DNSKEY records (or DS
records) for the "." dot (root domain)
to begin a chain of trust.
DNSSEC is a security protocol built on-top of and compatible with DNS.
It offers additional records included with DNS responses to provide
a chain of trust and signatures to help validate where the data
comes from and wasn't modified.
is a subtree of the DNS which defines who is responsible and lists all its immediate delegated subdomains or non-delegated leaf names.
In ordinary or familiar use, a "domain" is the name in question, such as a name
of a website.
is either the name at the apex or for a domain or a complete fully qualified domain name (FQDN). Normally, for example for "www.example.org" the domain name is just "example.org."
The maximum domain name length is 255 characters.
DoS, Denial of Service
DNS via UDP can be used with spoofed sender address with queries that send back large responses to a targeted device to cause a Denial of Service.
Single period as the domain name is the top-level root-domain. Domain names end with a dot.
Commonly, domain names that don't end with a trailing
period in DNS zone files will get a domain name appended to it.
Method to make updates to a DNS zone.
An example use case of a dynamic update is to change
a domain name's A address record to reflect a server's new IP address.
Dynamic Updates are also called RFC2136 DNS updates based on the RFC
that defines the protocol.
Alternative methods include web-based services which receive the
changes over HTTPS and then reload the authoritative DNS server with
the new information.
Various companies provide free or commercial
dynamic DNS services.
Extension mechanisms for DNS helps provide further parameters and features to DNS.
EDNS client subnet (ECS)
A client can provide an IP address subnet which is sent to a server which may use it to provide custom information based on that, such as geo-located content.
a domain name without a resource record, but has a subdomain with a resource record. These are the in-between labels that don't have any records associated with them.
If a SOA polling failed, keep trying until this amount of time. (Contained in SOA record.) After it expires, do not serve the zone data anymore.
Flas are attributes (or bits) that identify the query or what the iterative client can accept; or the attributes sent back from the responding server. Such as authoritative answer (AA bit), truncated, recursion desired bit, and recursion available.
Accepts a query and asks a recursive server to provide a response which the forwarder returns back to its client.
The fully qualified domain name includes the hostname and the domain name. It is the complete and usually unique name.
The address record provided in the additional section which is associated with a NS (name server) delegation record. Allows providing an address to find the next server in a single transaction.
Generic TLD, such as AERO, BANK, CLUB, FURNITURE, and WORK.
The DNS packet header for a query and response contains fixed fields for the
QR query flag,
AA authoritive answer flag,
TC truncated flag,
RD recursion desired flag,
recursion available flag,
Z unused (reserved for future use),
rcode return value code,
QDCOUNT count of records in the question (query) section,
ANCOUNT count of records in the response answer section,
NSCOUNT count of records in the response authority records section,
and ARCOUNT count of records in the additional records section.
16-bit transaction identifier number provided in the query and returned in the response to help match it with the original question. Answers can be spoofed.
obsolete feature to get the query by providing its value; this is not reverse lookups which are normal in-addr.arpa PTR lookups.
The client chases down the answer, one query at a time.
This is a non-recursing query that may provide a partial answer
or the answer refers the client to name servers that may have the information.
The in-addr.arpa domain managed by IANA provides NS delegations
for IP addresses listed in reverse octet order.
It is used to do reverse lookups of IP addresses to find names via PTR records.
For example, the IP address 22.214.171.124 is represented as
126.96.36.199.in-addr.arpa. which contains a PTR record of www.iana.org.
An optional and obsolete feature to map resource records back to
These are not reverse lookups which are normal in-addr.arpa PTR lookups.
IXFR is the incremental zone transfer which only transfers changed records.
A full transfer is done using AXFR.
A label is a single part of a domain name between the periods;
for example, www.example.net, has three labels.
The maximum label length is 63 characters.
Delegated name servers aren't really available or provide non-authoritative data.
Lameness can also be caused by other mistakes in defining NS records.
Letters, digits, hyphens, but note that the DNS does not restrict labels to LDH.
Formerly, domain name labels (separated by periods) could only be made from
letters, digits, and hyphens.
also known as the "primary" server is the main authoritative server where secondaries may poll and do zone transfers from.
The plain text zone file loaded by the authoritative server.
MX (mail exchange)
Records that provide names of mail servers which will handle incoming email for a domain. The records have a priority number where lower numbers are tried first.
Negative answers are failed DNS lookups.
Failures include NXDOMAIN and SERVFAIL.,
Failed DNS lookups where the name exist
but not for the queried type will return a NOERROR status with
a zero answers count.
Negative cache TTL
Last SOA field, previously called the "minimum" used to set the TTL for caching that no answer was authoritatively provided. So a resolver doesn't repeated send queries for a NXDOMAIN, for example.
An authoritative server tells a secondary server that there is an updated zone to check for.
The DNS NOTIFY may be used to trigger a zone transfer.
The NS record defines the authoritative nameservers for a domain.
The nameserver record creates a subzone or delegation by defining multiple name servers that are responsible for the domain. (The NS is in the parent zone and in the its own zone.)
When a resolver asks an authoritative server about a domain it is a parent
of, that authoritative server will respond with zero answer count,
with the NS records in the Authority Section.
If it helps, it may provide the address for those NS records
in the Additional Section (as glue).
Status result for no such domain when there is no domain name (the domain name doesn't exist) regardless of its type. Note if the domain name exists but with a different type, then there will be a "No error" response with no answer instead.
DNS server accepts zone updates from a malicious source, or DNS resolver accepts DNS answer from non-authoritative source.
An example of DNS poisoning is when a DNS caching resolver is triggered
to do a query and an unrelated third-party software attempts to feed
in a legitimate answer (to be cached or reused) before the real
nameserver's answer is received.
The pointer record is used to map an IP address, written in reverse IP octet order, and commonly within the IN-ADDR.ARPA. domain, to provide the name for that address. Used for reverse name mapping.
the query name is the domain name in the question.
client asking a DNS server a question with a domain name and the record type (and class).
Also called a "lookup".
Common tools for manually doing queries and seeing results are nslookup, dig, and host.
The record contains the domain name, the TTL, the record type, and the resource record data. There may be multiple record types and/or multiple (even different) datas for the same domain name.
The data type of a resource record which identifies
the characteristics of the resource record value.
A domain name may have multiple types (accept for a CNAME limitation).
Different types may represent different amounts of data,
for example: AAAA type contains a single IPv6 address;
a MX type contains a priority number and a mail server hostname;
and a TXT type can contain up to 65535 characters of multiple arbitrary strings.
A server that will do multiple iterative queries on behalf of a client
to chase down and provide a final answer.
a response without answer section but includes at least one child
authoritative name server (that is closer to finding the answer)
and optionally an additional section has the glue (IP for them).
The wait before asking master for current SOA (to get serial number to see if should do a zone transfer). (Contained in SOA record.)
Over UDP, an attacker forges their source IP address so that the nameserver will respond to an unrelated system. Many small legitimate queries can result in many large responses resulting in an amplification attack on the victim potentially causing a denial of service.
This may be done from many attackers all spoofing the same source IP address for a Distributed Denial of Service (DDoS).
Response Rate Limiting (RRL) provides some techniques to help lower the reflection attacks while allowing some legitimate traffic to still work.
The organization which operates a top-level domain. (For example, Verisign is the operator or registry for COM.)
The company that manages registrations and fees for domain names (by registrants), such as Godaddy and Joker.
Resource record data (rrdata)
The data associated with a record type for a domain name.
The format, number of fields, allowed text in the fields
— or the presentation of the data depends on the type.
For example, an A address record will only accept a valid IPv6 address.
Response Rate Limiting (RRL)
As a workaround for UDP being abused for denial of service reflection attacks, Response Rate Limiting will periodically respond with a Truncated (TC) response or drop some responses entirely, such at 200 queries-per-second for the same IP address, network, or zone name, etc. Since not all traffic is stopped, some valid traffic may still work.
Try polling again for SOA record after this amount of time after a refresh failed. (Contained in SOA record.)
A reverse lookup is used to find a domain name for a provided IP address.
It is done via DNS under the in-addr.arpa zone.
Is the top of the DNS domains tree. The root-servers know about all the nameservers for the top-level domains (TLDs), but not the record data for subdomains.
When multiple resource record data is provided for a single query, only a single data is randomly used. (Called a poor-man's load balancer when used with address records for example.)
RRSET, resource record set
A resource record set is one or more resource records for the same
name which may include different types and values.
The order they are provided depends on the server configuration
and may not depend on the original source.
A client looking up the name for the type may choose to use one
or more of the records in the set.
For example, a domain name with multiple A address records
may be used as a simple round-robin load balancer where the clients
use just one of the addresses somewhat randomly.
also sometimes known as "slave" is another authoritative server
hosting the same zone data has hosted and provided by a primary
authoritative server (which may stealth hidden or public).
SLD, secondary level domain
A domain registration commonly under a ccTLD which requires or
includes a second label (from the right) that the domain is under;
for example, hsbc.co.uk is under the "co.uk" SLD.
Sender Policy Framework, SPF
Sender Policy Framework record to define authorized IP addresses for sending email for a domain. (Used a proposed record type, SPF, but now commonly provided in TXT records.)
Used by secondary authoritative servers to know if there is a new copy of the zone to transfer in.
There are two types of servers: authoritative which provide official answers or NS delegation records; and recursive caching servers which help clients look for answers.
A nameserver that provides different results for different groups
of queries, such as both internal and external services
with different data.
This may be used for authoritive stealth DNS
or to provide internal custom resolver services, for example.
Start of authority (SOA)
Identifying record type for a domain. The resource record data provides seven attributes: main server name, contact email address, serial number, zone transfer refresh, retry, and expire timers, and cache timer for negative responses. As an answer this is used for secondary server polling. It is also returned in the authority section for when the domain name or domain name plus type pair doesn't exist.
The error code returned with the response, such as format error, server failure, no such name error, and refused. "No error" implies that a valid response is provided even if an answer is not provided.
Stealth servers or stealth data are not seen in public records.
Stealth servers, for example, may be used for internal DNS management
as a primary authoritative nameserver that provides zones for
public secondary authoritative nameservers.
A nameserver that provides both internal and external service
with different data is called a split DNS.
A client that can do a single query. Normally a stub forwards a question to a full featured caching recursive server.
DNS is available over IP/TCP (virtual circuits) on port 53.
Zone transfers also use TCP.
The top level domain is the first label (from right hand side) of a domain name, such as COM or GOV, UK or US (ccTLDs), and MUSEUM or NEWS (gTLD).
There are 3030 TLDs (as of July 2020).
The first TLDs were GOV, EDU, COM, MIL, and ORG.
When a UDP-based response is larger than supported, a partial answer is returned
with a truncated flag (TC) indicating that the client should query again using TCP to get the full response.
A DNS technique using shared secrets to authenticate DNS end-points (generally between servers).
The time-to-live is the time that a server may cache the answer (resource record data).
Answers returned from the cache should have the TTL time decremented
accordingly based on how long it was cached.
While the largest number is 2147483647 which is around 68 years,
most caching resolvers limit caching to one day or one week.
The common recommendation is to use 5 minutes to one day for the TTL.
When changing the data (value) for a resource record, TTLs could be
reduced before, to limit how long stale, older data is stored in
There is no part of the protocol to tell a third-party cache to flush
or reload unexpired domain names.
A record containing free-form textual data. It is commonly used to provide SPF
A character string can contain up to 255 characters,
but a TXT record can contain multiple character strings up to
(Commonly in a primary zone file, the separate TXT strings
are contained within "double quotes.")
Commonly DNS questions and responses are sent over IP/UDP (datagrams)
on port 53.
It usually has better performance with side-effects of spoofing possibility,
data size limits, and Denial of Service abuse.
(DNS is required to be available over TCP also.)
A resolver that fetches and understands DNSSEC records and verifies that the chain of trust is correct and the data isn't modified and is within a valid time period.
An asterisk used as a left-hand-side label name in a zone file configuration will match any undefined name (at that record type).
A single configuration of DNS records hosted on an authoritative server. This can contain subdomains or can delegate subdomains in another zone which are commonly hosted on a different server.
The act of transferring a zone file (using AXFR or IXFR) from one authoritative server to another for synchronized redundancy. Commonly, a secondary server will poll the other server for its SOA every REFRESH interval and compares the
serial number to see if a new zone is available.